This post is a little out of the blue, however Google Domains appears to be selling all of its domains to Squarespace Domains, so if you’re currently using Google Domains your domain will be automatically moved over at some point in the future.
Preface/background first and the technical move at the bottom, as I need to set the scene ⬇️⬇️⬇️
Questions, Yes many!!
Yes, I had lots of questions: are they any good, what features do you get with Squarespace as your registrar, and how good is customer service, or for that matter technical support, when stuff goes wrong?
Support Options 🛟
This was the one that shocked me the most. Since I moved to Google Domains I’ve really had no reason to contact support, apart from when their website didn’t work as expected, and I got around that by being able to import zones as BIND files. However, the customer support for Google Domains is bad, very bad, according to sites like Trustpilot, which also shocked me because the other provider I was looking to move to got equally bad reviews. But surely you only need to worry about technical support when things go wrong, right?
Well, on my mission to find out what features I would get with my new provider I found many things I really, really didn’t like. There is no way to move the domain over early, so I thought I’d buy a domain to see what my options were…..
Squarespace the truth 🧚♀️
Yes, the website makes the transition look fantastic, but unfortunately you have very little control of your domain once you have moved to this particular registrar. First of all, it’s pot luck which registrar will actually hold your domain; for the demo domain I purchased, I got Tucows.
Then you get onto the feature set, or the options you can configure: there is no email management, so that rules out email forwarding and mailboxes; however, they are linked up with Google Workspace, so if you’d like a full-blown Google Workspace e-mail that starts at £5.90 per user per month.
DNS management was very weak: no option for DNSSEC, the records you are allowed to create are very minimal compared to other providers, and the website was full of suggestions about why you should buy a Squarespace website….
Moving right along to websites: if you did not want to use a web forwarding address, you essentially had to use the Squarespace product or other partnered services to redirect your website. Quite disappointing here; the website made it look like a very clean and feature-rich management portal, but it’s not, it’s very, very basic.
If you’re happy with basic settings because you don’t really want to get involved in all the technical DNS management then I’m sure it will be absolutely fine, but if you want to make the domain secure and have extra security features, it’s really not that great.
Calculating Options 👨💻
There are quite a few places that can manage your domain, so the usual ones popped into my head:
Namecheap
Cloudflare
Domain.com
Hover
Gandi
Uniregistry
What should I do? 🐏
Namecheap have a fantastic website that’s very manageable; however, if you’re just interested in email forwarding, many of the mail servers you will be using will be on one blacklist or another. For the domain I purchased all 4 servers were on the same blacklist, and when I contacted Support about this observation they kept me holding for 10 minutes and then never got back to me.
Namecheap also have a fantastic WordPress integration called EasyWP, which is an absolute breeze to set up and very easy to manage, and you get a pretty little interface that tells you how your instance’s health is getting on.
Very impressed with how easy it was to set up and then link it to the domain I had just recently purchased, but within a couple of days of it being online I went through a phase of receiving lots of HTTP 504 errors, which is obviously the lovely timeout error, so my website was replaced by an undocumented bug 🐜 (which is actually quite a common occurrence if you read their forums).
Domain.com did not really excite me with their management features, and they seem to offer very basic domain management; plus everything is in USD, which means, depending on the bank you use, you may have to pay a currency conversion handling fee.
Uniregistry have unfortunately been purchased by GoDaddy, and I’m very sorry, but I am not having a registrar called GoDaddy. You may decide that’s a fantastic idea, but no, absolutely not for me.
Gandi is good, but their services are again basic and you get no enhanced security controls like you do with other providers; it’s also very basic from the management side, but you do get lots of management options like DNS, DNSSEC, mail forwarding and web forwarding, although with the website forwarding it can take 4 hours for the changes to apply consistently.
Cloudflare, could it be ? 🦖
Cloudflare is an amazing DNS and security service that now offers itself as a registrar, which is fantastic, so let’s get the domain working on a test Blogger site with a test domain first, before we move the production domain. The test domain is called "grizzybear.uk".
Then you can also break the performance down into rather helpful charts, if you are into that.....
You also get e-mail forwarding which is fantastic as you can see here:
Then you can specify custom addresses and have a rule to "drop" mail addressed to anything not on that list, but the drop does not send an NDR: it accepts the message and drops the mail internally, as you can see below:
So this shows that I have received 6 e-mails, of which 4 have been forwarded and 2 have been dropped; the dropped ones were addressed to addresses not in the custom address list above.....
Anyway, that is enough charts and analytics, let’s get the test domain moved. Please remember this is the test domain grizzybear.uk; once it is proven on this domain we will commence on the live domain, so let’s begin.
Warning: Please remember you can break your website/domain if you do this wrong. This will break all the services provided by DNS, which can include website, e-mail, SPF, DMARC, DKIM and BIMI. I cannot accept responsibility for outages caused by following this blog!!!!!
Remember: Once you move your domain you cannot move it again for 60 days, so choose wisely ⚔️
Lab 🧪 it out : Before moving your live production domain, please test your theory and technical abilities with a test domain. Please do not be the person that moves a live domain with no safety net or testing!!!!
Test Domain : Theory Proving
Pre-Flight Checks ✈️
- Disable DNSSEC
- Wait for DNSSEC to be removed and unpublished (48 hours)
- Make no DNS changes on old NS servers (ideally)
- Unlock Domain
- If you are moving a co.uk domains then set IPS tag to new registrar
- If you are moving any other domain extension, obtain authorization code
- Initiate Transfer process - preserve current NS (if available)
- Transfer in process
- Transfer Complete
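The pre-flight list above is the kind of thing that is easy to tick off from memory and get wrong, so here is a small checker, written for this post as an added example (it is not the blog’s own tooling, nor any registrar’s API). You feed it what the checklist asks you to verify: the DS rdata a public resolver still returns for the domain (what `dig DS <domain>` shows), the EPP status list from WHOIS/RDAP, when you switched DNSSEC off, and either the IPS tag (for .uk) or the auth code (anything else). The domain names, DS digest and tag values in the sample are constructed; the 48-hour wait and the .uk IPS-tag rule are the ones the checklist states.

```python
"""Registrar-transfer pre-flight check (added example, not the post's own tooling).

Timestamps are ISO 8601 strings such as "2023-08-20T09:00:00+00:00"; use the same
offset style for both timestamps so they can be subtracted.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

DNSSEC_COOLDOWN = timedelta(hours=48)   # the checklist's "wait 48 hours"


@dataclass
class TransferSnapshot:
    domain: str
    ds_records: List[str]               # DS rdata still visible at a public resolver
    epp_statuses: List[str]             # e.g. ["clientTransferProhibited", "ok"]
    dnssec_disabled_at: Optional[str]   # ISO 8601, None if you have no record of it
    auth_code: Optional[str] = None     # auth/EPP code from the losing registrar
    ips_tag: Optional[str] = None       # current IPS tag at Nominet (.uk only)
    new_registrar_tag: Optional[str] = None


def preflight(snap: TransferSnapshot, now: str) -> List[str]:
    """Return the list of blockers; an empty list means the transfer can be initiated."""
    now_dt = datetime.fromisoformat(now)
    blockers = []

    # 1. DNSSEC: the DS set must be gone from the parent and caches must have expired,
    #    otherwise validating resolvers that still hold the old DS will fail the zone
    #    once it is served unsigned (or signed with other keys) by the new provider.
    if snap.ds_records:
        blockers.append("DS records still published at the parent: " + ", ".join(snap.ds_records))
    if snap.dnssec_disabled_at is None:
        blockers.append("no record of when DNSSEC was disabled")
    else:
        elapsed = now_dt - datetime.fromisoformat(snap.dnssec_disabled_at)
        if elapsed < DNSSEC_COOLDOWN:
            blockers.append("DNSSEC disabled only %s ago; wait another %s"
                            % (elapsed, DNSSEC_COOLDOWN - elapsed))

    # 2. Registrar lock: any *TransferProhibited status makes the registry refuse the request.
    locks = [s for s in snap.epp_statuses if s.endswith("TransferProhibited")]
    if locks:
        blockers.append("domain is locked (%s); unlock it at the current registrar" % ", ".join(locks))

    # 3. Proof of authority differs by TLD: .uk uses the IPS tag, everything else an auth code.
    if snap.domain.lower().endswith(".uk"):
        if not snap.new_registrar_tag:
            blockers.append("new registrar's IPS tag not known")
        elif snap.ips_tag != snap.new_registrar_tag:
            blockers.append("IPS tag is %r, must be set to %r" % (snap.ips_tag, snap.new_registrar_tag))
    elif not snap.auth_code:
        blockers.append("authorization code not obtained")

    return blockers


if __name__ == "__main__":
    # Constructed sample: a .uk domain 20 hours after DNSSEC was switched off, still locked.
    snap = TransferSnapshot(
        domain="example.uk",
        ds_records=["12345 13 2 DEADBEEF (constructed digest)"],
        epp_statuses=["clientTransferProhibited", "clientDeleteProhibited"],
        dnssec_disabled_at="2023-08-19T13:00:00+00:00",
        ips_tag="OLDTAG", new_registrar_tag="GANDI",
    )
    for blocker in preflight(snap, "2023-08-20T09:00:00+00:00"):
        print("BLOCKER:", blocker)
```

Run it before every transfer, not just the first: the lock and the DS records are the two items people most often assume are already clear, and both are checked against what the outside world currently sees rather than what the registrar’s control panel says.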
Ultimately I did not move to Cloudflare, due to using the Blogger platform, but this section has been left in to help others out and avoid confusion!
Right, so the domain is grizzybear.uk and we need to create a new Blogger blog to test with, so log in to Blogger, click the dropdown on your list of blogs and choose "New blog".
Then give that a name:
Then you need to give it a BlogSpot name, which will be the primary domain; this does not matter as it will not be used....
Once that is complete, navigate to the Settings section.....
Then under Settings > Publishing find "Custom domain" and click it......
You will now need to enter the domain name; you will not be allowed to add the root domain (I hate the term "naked domain").
This means it will require a www before the domain name, like this. If your domain registrar is not "supported" you will be given the DNS records to create for this to work......here I have done this before so I do not get this option.....then you need to click Save.
You should now see this in the Publishing section: the custom domain should be there and the "Redirect domain" option should be enabled to redirect the "root" domain, as below:
Then you need to create the CNAME records. Here you can see the CNAME records added as a "www" and a "vwd7upg2434a" record; notice they are proxied, which means they use the full Cloudflare experience.
Now you need to go back to the HTTPS section of the Blogger settings and you will notice that HTTPS is offline.
If you try to visit the website during this time you will get this error, as the certificate has not been generated and Cloudflare cannot establish an SSL connection to the Blogger site, which means again you need to wait!
This is because your CNAME records are "proxied" in Cloudflare, so in Cloudflare navigate to the DNS records section, find the two CNAME records, edit them and turn off the proxied status so they are DNS only, as below:
Ensure you do this with both records, as both are required to generate the certificate; here you can see both are DNS only now:
You may notice that after updating the CNAME records to DNS only your website completely fails to load; this is temporary.
Then in Blogger under the HTTPS section, turn off HTTPS availability and turn it back on again to force it to retry.
This is how the HTTPS section in Blogger should look when it is working as it should and the certificate has been generated.
Right, now you have a certificate, and the website will work when you visit it with the www name, in this example www.grizzybear.uk, but not if you visit it as grizzybear.uk. So you have half fixed it, but let’s check the DNS in Cloudflare... I seem to be missing the A records for the root domain, so let’s add those in as below:
This means if you visit https://www.grizzybear.uk you get the correct website, as you can see here:
However, if you visit the root domain https://grizzybear.uk you get this error about a handshake failure, as you can see here:
This is down to the fact that Cloudflare is the proxy and it cannot handle the redirection, as you are not using the public internet records, you are using the Cloudflare proxy records, which means you need to create a Page Rule to get this working as designed.
To add a Page Rule, from the Cloudflare menu choose Rules > Page Rules.
Then you need to add this rule, which essentially takes traffic on https://grizzybear.uk and forwards it to https://www.grizzybear.uk with a forwarding request using a 302 (as this will be permanent); this is shown below:
nmap --script ssl-cert -p 443 www.grizzybear.uk
You get this, but there is an issue here; the issue is in bold below. The certificate will only last until the 15th November 2023; on this date it will require a renewal, and the renewal process will fail, so after 3 months your Blogger site will have an expired certificate......
Then if you query for the A record you get the IP of the Cloudflare proxy, which is not what the SSL renewal process is expecting.
Non-authoritative answer:
However, if you go to the Cloudflare DNS and make that record DNS only rather than proxied, as you can see below:
Now when you check the CNAME you will get the correct response from the DNS server, as shown below:
Non-authoritative answer:
This now means that the SSL certificate can renew, but only with the non-proxied connection from Cloudflare. So the question I have is that for this to function you seem to have to have Cloudflare in DNS Only mode, which removes all the protection and the point of using Cloudflare, so let’s set all the records to DNS only and check back after replication.
Right, so since removing the proxy I can now see the public DNS records correctly:
Non-authoritative answer:
This has bypassed Cloudflare, but what does that do to the website? Well, now we have bypassed Cloudflare the website works as expected: both the root domain and the www domain load spot on all the time. But why use Cloudflare only to bypass it?
This only covers the website here, and remember I am using Blogger; if you have static content or a website on WordPress then this will not be an issue. I find this is an issue because I am using Blogger, and I like Blogger, until it’s "sunset" by Google, so that is my choice.
NOTE: I will not transfer to Cloudflare as my registrar while I am using Blogger, as it’s been a bit of a journey to get it working and it’s far too manual to keep everything working.
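The whole proxied-versus-DNS-only problem above comes down to what a public resolver sees for each name, so here is a checker for that, written as an added example for this post (it is not Blogger’s, Cloudflare’s or the blog’s own code). It models a "resolver view" as the answers you would collect with `dig` at a public resolver: when a record is proxied, Cloudflare answers with its own addresses and the CNAME never appears, which is exactly why Blogger’s verification and certificate renewal stall. The four Blogger root A records are the ones quoted on this page; the verification CNAME target, the sample answers and the two Cloudflare ranges used to label an answer as proxied are assumptions (the ranges are a subset of the published list at cloudflare.com/ips).

```python
"""Check what a public resolver sees for a Blogger custom domain (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Root A records Blogger asks for (the four on this page).
BLOGGER_ROOT_A = {"216.239.32.21", "216.239.34.21", "216.239.36.21", "216.239.38.21"}

# Assumption: two of Cloudflare's published proxy ranges, enough to recognise a
# proxied answer in this example; fetch the full list from cloudflare.com/ips.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# A resolver view: {(owner, rrtype): [rdata, ...]} as returned by a public resolver.
View = Dict[Tuple[str, str], List[str]]


def is_cloudflare_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_NETS)


def check_blogger_dns(domain: str, expected_cnames: Dict[str, str], view: View) -> List[str]:
    """expected_cnames maps label -> CNAME target, e.g. {"www": "ghs.google.com.",
    "<verification label>": "gv-<token>.dv.googlehosted.com."} (both per-blog values
    come from Blogger's custom-domain screen).  Returns findings; an empty list means
    Blogger can see its records and so can verify the domain and renew the certificate."""
    findings = []
    for label, target in expected_cnames.items():
        owner = "%s.%s." % (label, domain)
        cnames = view.get((owner, "CNAME"), [])
        if target in cnames:
            continue
        addrs = view.get((owner, "A"), [])
        if addrs and all(is_cloudflare_ip(a) for a in addrs):
            findings.append("%s: CNAME to %s is hidden behind the Cloudflare proxy (resolver sees %s); "
                            "switch the record to DNS only" % (owner, target, ", ".join(addrs)))
        elif addrs or cnames:
            findings.append("%s: expected CNAME %s, resolver sees %s" % (owner, target, cnames or addrs))
        else:
            findings.append("%s: no CNAME to %s published" % (owner, target))

    root = domain + "."
    root_a = set(view.get((root, "A"), []))
    if not root_a:
        findings.append("%s: no A records, the root domain will not resolve" % root)
    elif all(is_cloudflare_ip(a) for a in root_a):
        findings.append("%s: root A records point at the Cloudflare proxy, not at Blogger" % root)
    elif not root_a <= BLOGGER_ROOT_A:
        findings.append("%s: unexpected root A records %s" % (root, sorted(root_a - BLOGGER_ROOT_A)))
    return findings


# Constructed sample views for the test domain used in this post.
DOMAIN = "grizzybear.uk"
EXPECTED = {"www": "ghs.google.com.",
            "vwd7upg2434a": "gv-constructed.dv.googlehosted.com."}   # target token constructed
PROXIED_VIEW = {   # CNAMEs proxied, root A records not yet added
    ("www.grizzybear.uk.", "A"): ["104.21.0.10", "172.67.0.10"],
    ("vwd7upg2434a.grizzybear.uk.", "A"): ["104.21.0.10", "172.67.0.10"],
}
DNS_ONLY_VIEW = {  # everything DNS only, root A records present
    ("www.grizzybear.uk.", "CNAME"): ["ghs.google.com."],
    ("vwd7upg2434a.grizzybear.uk.", "CNAME"): ["gv-constructed.dv.googlehosted.com."],
    ("grizzybear.uk.", "A"): sorted(BLOGGER_ROOT_A),
}

if __name__ == "__main__":
    for name, view in (("proxied", PROXIED_VIEW), ("dns only", DNS_ONLY_VIEW)):
        print(name, "->", check_blogger_dns(DOMAIN, EXPECTED, view) or ["ok"])
```

The trade-off the post lands on is visible in the output: the only state that passes is the one where every record is DNS only, so the proxy’s protection is gone for exactly the names you care about. If you do keep a domain behind the proxy for other content, run this against a public resolver (not your own Cloudflare account view) after every DNS change, because that is the view Blogger’s renewal job gets.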
⚽️ Gandi : Moving the Blog
Right, now you have the preface from the Cloudflare move, I will move another blog I have, with more content than the one before, to Gandi. First we need to set the custom domain; here we can see this is for www.diepiggydiedie.com, which is another domain I have, this time on Gandi:
Gandi, however, lets you view the DNS records in BIND format, which is amazing, and it lets you create them with DNS commands as well, so here they are:
6u5owy4ctjhk 10800 IN CNAME gv-dmv6ocehd7e2yx.dv.googlehosted.com.
www 10800 IN CNAME ghs.google.com.
If you remember from before, these are required for the automatic certificate updates. Once they are created, get HTTPS availability enabled; however, unlike last time, we are straight in this time.....
Now we need to add the A records, which will take care of the root domain queries for Blogger, which can be done with these commands for Gandi:
@ 10800 IN A 216.239.32.21
@ 10800 IN A 216.239.34.21
@ 10800 IN A 216.239.36.21
@ 10800 IN A 216.239.38.21
Then, while we are there, as Blogger supports IPv6 we can add the AAAA records for the root domain queries:
@ 10800 IN AAAA 2001:4860:4802:32::15
@ 10800 IN AAAA 2001:4860:4802:34::15
@ 10800 IN AAAA 2001:4860:4802:36::15
@ 10800 IN AAAA 2001:4860:4802:38::15
Right, now we are all done, so let’s visit the website on https://diepiggydiedie.com and https://www.diepiggydiedie.com and see if the site loads as it should. Remember that https://diepiggydiedie.com will be redirected to the www version, so if one works the other should work.....
That confirms it: both addresses work with minimal effort and all the automation is still valid, so that looks good for the main site to me.
Gandi : email forwarding
This is simple: for forwarding, under the e-mail option you navigate to Forwarding address > Create a forwarding address:
Then you provide the e-mail address you require and the address you want the e-mails sent to, and then click Create.....
I will need a couple of these for the production domain, but it’s that simple.
Gandi : DNS/DNSSEC
This is mega simple here: the NS (name servers) are all set in this instance, they are not the old NS records, and this is what it looks like:
Then for DNSSEC, this is already enabled and active, and I can confirm that I am using LiveDNS (which is the name for their DNS servers).
This is something that Cloudflare could not do very well, due to the technical nature of trying to get Cloudflare DNS and the Google CDN working together, but with Gandi it’s a breeze. The redirection is for "photos" and "restricted", and the DNS commands to point them at the redirect service are these:
photos 10800 IN CNAME webredir.gandi.net.
restricted 10800 IN CNAME webredir.gandi.net.
Then Gandi will configure this in the background for me; as a customer you cannot configure the webredir.gandi.net service:
Gandi : DMARC
This has obviously been set; this is the record as per the management DNS commands, and it tells me we are rejecting 100% of e-mails not passing the matching criteria.
_dmarc 10800 IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:lee@diepiggydiedie.com;ri=86400;aspf=r;adkim=r;fo=s"
Gandi : SPF
This is indeed set to include Gandi mail servers for the test:
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
However for the production domain it will look more like this:
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net include:_spf.google.com ?all"
Gandi : TXT Records
The only TXT records for the domain diepiggydiedie.com are the SPF and DMARC records, and we can confirm all these records are active and valid.
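Since Gandi hands you the zone as BIND-style lines, it is worth being able to read them back and check what the SPF and DMARC records will actually do at a receiving mail server, rather than just that they exist. The following is an added example for this post (not Gandi’s tooling and not the blog’s own code): it parses the record lines quoted above for the test domain, then applies the checks a receiver applies. It covers both the BIND records shown earlier for the Blogger CNAMEs and the SPF/DMARC TXT records in this section; the zone text embedded below is copied from those lines, and the check messages are mine.

```python
"""Parse Gandi-style BIND record lines and sanity-check SPF and DMARC (added example)."""
import re
from typing import Dict, List

# Records as quoted in the post for the diepiggydiedie.com test domain.
ZONE = """\
; www and the mail-auth TXT records from the post
www 10800 IN CNAME ghs.google.com.
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
_dmarc 10800 IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:lee@diepiggydiedie.com;ri=86400;aspf=r;adkim=r;fo=s"
"""

RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")
# Terms that each cost one of SPF's ten permitted DNS lookups (RFC 7208 section 4.6.4).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_zone(text: str) -> List[Dict[str, object]]:
    """Turn '<owner> <ttl> IN <type> <rdata>' lines into dicts; TXT rdata loses its quotes."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD.match(line)
        if not m:
            raise ValueError("unparsable record: %r" % line)
        owner, ttl, rtype, rdata = m.groups()
        if rtype == "TXT":
            rdata = rdata.strip().strip('"')
        records.append({"owner": owner, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return records


def check_spf(txt: str) -> List[str]:
    """Findings about an SPF record's 'all' qualifier and lookup budget."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral: unlisted senders neither pass nor fail, so SPF on its own "
                        "never rejects spoofed mail (DMARC still treats neutral as not passing)")
    elif all_qualifier == "+":
        findings.append("'+all' passes every sender and makes SPF useless")
    if lookups > 10:
        findings.append("%d lookup terms exceed SPF's limit of 10 (permerror)" % lookups)
    return findings


def check_dmarc(txt: str) -> List[str]:
    """Findings about a DMARC record's policy, coverage and reporting."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append("p=%s: failing mail is only monitored, not acted on" % tags.get("p", "<missing>"))
    if tags.get("pct", "100") != "100":
        findings.append("pct=%s: policy applied to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("no rua= address, so you will never see aggregate reports")
    return findings


def audit(zone_text: str = ZONE) -> Dict[str, List[str]]:
    """Run the checks over every TXT record in the zone, keyed by '<TYPE> <owner>'."""
    report = {}
    for rec in parse_zone(zone_text):
        rdata, owner = str(rec["rdata"]), str(rec["owner"])
        if rec["type"] != "TXT":
            continue
        if rdata.lower().startswith("v=spf1"):
            report["SPF " + owner] = check_spf(rdata)
        elif rdata.upper().startswith("V=DMARC1"):
            report["DMARC " + owner] = check_dmarc(rdata)
    return report


if __name__ == "__main__":
    for key, findings in audit().items():
        print(key, "->", findings or ["ok"])
```

On the post’s own records the DMARC check comes back clean and the SPF check flags the `?all`: that is not an error in the zone, it just makes explicit that with a neutral SPF it is the DMARC `p=reject` that is doing the enforcing, so that record is the one to keep an eye on.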
Gandi : External Check
This is a pass as well: we only use DMARC and SPF and they are all green. Finally, as we use mailbox forwarding, it is not this domain that will send e-mails, so it does not require DKIM, and I do not use BIMI.
Gandi : Lock Domain
This is the last thing I can think of for the test domain before the live move of the current domain; this I can confirm is locked to Gandi.
All these are a pass for the diepiggydiedie.com domain, as you can see below, and they are explained above:
- Lock domain
- Add website forwards (where applicable)
- Add mail forwards (where applicable)
- Add SPF
- Add DMARC
- Add DKIM
- Add TXT records (where applicable)
- Switch over NS servers
- Enable and Sign DNSSEC
Right, first thing, let’s get the pre-flight checklist from before:
Live : Pre-Flight Checks ✈️
- Disable DNSSEC
- Wait for DNSSEC to be removed and unsigned (48 hours)
- Make no DNS changes on old NS servers (ideally)
- Unlock Domain
- If you are moving a co.uk domains then set IPS tag to new registrar
- If you are moving any other domain extension, obtain authorization code
- Initiate Transfer process - preserve current NS (if available)
- Transfer in process
- Transfer Complete
The transfer had already been initiated, as you can see here; this is the live domain:
If you look at the information about that transfer you will see that the IPS tag has not been set to GANDI, which confirms that the domain is locked and cannot be moved.....
The domain is currently locked; however, when we go to set the IPS tag it will ask you to unlock the domain, as you can see here:
550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces.
This will then complete the transfer.
Then you will see the domain in your new registrar as below:
Live : Post-Flight Checks ✈️
- Switch NS servers
- Enable DNSSEC
- Lock Domain
- Import DNS Zone
Therefore, to move my NS to the correct location I needed to use the "Gandi LiveDNS" option and apply it as below:
Enable DNSSEC
Import DNS zone
Then I need the records to add from my old domain provider, which are these; they point the website at Blogger and then add the SPF and DMARC records:
You also have these records; however, they require the configuration of the redirect service as well, and as they are they tell you nothing, it’s just a place to direct traffic for the redirector to take care of: